...

All of these files, but no others, are copied out of the CA environment for further use in operations (e.g. onto a USB stick).

If you ever need to revoke an intermediate, the corresponding scripts can be used (one variant for RSA, one for ECDSA, both to be called with the corresponding serial number of the certificate).

eduroam Managed IdP Server Certificate and CA set

eduroam installers will need to be configured with a server certificate trust (i.e. a root CA and a server name). To support the partitionability of the RADIUS service, each eduroam NRO gets its own self-signed root. This means approx. 200 self-signed CA certificates and server certificates need to be provisioned, all served by the RADIUS servers. The code to generate both the CA hierarchy and the FreeRADIUS configuration snippets to activate all those distinct personalities is available on GitHub.

In principle, one calls the script addnro.py with the ISO country code of an eduroam NRO and a URL to the future CRL Distribution Point, i.e.

scripts/addnro.py LU http://hosted.eduroam.org/server-ca/LU.der

For initial bootstrapping, there is a list of NROs and a script TBD which generates the needed NRO, CRLDP pairs. After running that script, the full list of all server certificates is generated with

scripts/addnro.py filename.txt

This will take a LONG while to complete.

Copy the CA certificates (without private key) to the web interface.

Copy the server certificates, the private keys and the FreeRADIUS config snippets to the RADIUS servers.
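The per-NRO provisioning described above, as an added shell example (not the project's addnro.py): one self-signed root and one server certificate per NRO with the NRO's CRL Distribution Point embedded, followed by the checks worth running before copying anything to the RADIUS servers, namely that each server certificate validates only against its own NRO root and advertises the expected CRLDP. ECDSA P-256 keys, the server name radius-<nro>.example.invalid, the out/<nro>/ layout and OpenSSL 1.1.1 or later are assumptions.

```shell
#!/bin/sh
# Added example, not the project's addnro.py: one self-signed root and one
# server certificate per NRO, with the NRO's CRL Distribution Point written
# into the server certificate, plus checks that the pieces belong together.
# Assumptions (not from the page): ECDSA P-256 keys, server name
# "radius-<nro>.example.invalid", output under out/<nro>/.
set -eu
KEYSPEC="ec -pkeyopt ec_paramgen_curve:prime256v1"

gen_nro() {  # gen_nro <ISO country code> <CRLDP URL>
  nro=$1; crldp=$2; dir=out/$nro; host="radius-$nro.example.invalid"
  mkdir -p "$dir"
  # Root: a self-signed CA unique to this NRO, so one NRO's trust anchor can
  # be replaced or revoked without touching the other ~200 personalities.
  openssl req -new -batch -newkey $KEYSPEC -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=eduroam Managed IdP Root CA $nro" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null
  # Server: key + CSR, signed by the NRO root with the CRLDP attached.
  openssl req -new -batch -newkey $KEYSPEC -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null
  printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=digitalSignature" \
    "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$host" \
    "authorityKeyIdentifier=keyid" \
    "crlDistributionPoints=URI:$crldp" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 825 \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# check_nro <nro> <CRLDP URL>: succeeds only if the server certificate
# chains to that NRO's own root and advertises the expected CRLDP.
check_nro() {
  dir=out/$1
  openssl verify -CAfile "$dir/root.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.pem" -noout -text | grep -qF "URI:$2"
}

# cross_check <nro_a> <nro_b>: succeeds only if A's server certificate does
# NOT validate against B's root, i.e. the two trust domains are separate.
cross_check() {
  ! openssl verify -CAfile "out/$2/root.pem" "out/$1/server.pem" >/dev/null 2>&1
}
```

Run gen_nro once per NRO, CRLDP pair from the bootstrap list, then check_nro for every pair and cross_check for a few NRO combinations; only the root.pem files go to the web interface, everything else stays with the RADIUS servers.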

Interplay of the eduroam Managed IdP system components

...